Dissecting
@belogor
Agenda
o Fake Antivirus
o Ransomware History
o Cryptolocker
o Cryptowall
o Wrap-up and Q&A
Fake Antivirus timeline
(Timeline figure, 2005 to 2014, with these families marked: WinFixer, Antivirus XP 2008, Mac Defender, PC Optimizer Pro)
XP Antivirus 2008
Affiliate Username   Account Balance (USD)
nenastniy            $158,568.86
krab                 $105,955.76
rstwm                $95,021.16
newforis             $93,260.64
slyers               $85,220.22
ultra                $82,174.54
cosma2k              $78,824.88
dp322                $75,631.26
iamthevip            $61,552.63
dp32                 $58,160.20
2011 - Mac Defender
o Pavel Vrublevsky Sentenced to 2.5 Years
2013 – Antivirus Plus
2015 – PC Optimizer Pro
Ransomware History
2005 – PGPCoder Trojan: 1024-bit RSA key, collects money via E-Gold
2009 – Bitcoin is invented by Satoshi Nakamoto
2012 – Reveton Trojan, aka Police Trojan, collects money via MoneyPak
2013 – Bitcoin becomes popular, Cryptolocker appears
2014 – Cryptowall, TeslaCrypt
TeslaCrypt
Kovter
Cryptolocker History
(Timeline figure, September 2013 to June 2014)
- September 2013: Cryptolocker 1.0 appeared
- November 2013: CryptoLocker Decryption Service introduced
- December 2013: Cryptolocker 2.0
- February 2014: Cryptowall, BitCrypt
- May 2014: Android - Simplelocker
- June 2014: Cryptolocker author identified and added to most wanted list
Poll #1
Who does Cryptolocker target?
o Governments
o Individuals
o Corporations
o All of the above
What is Cryptolocker?
o Began September 2013
o Encrypts victim’s files, asks for $300 ransom
o Impossible to recover files without a key
o Ransom increases after deadline
o Goal is monetary via Bitcoin
o 250,000+ victims worldwide
(According to Secureworks)
If you see this screen - You are infected
Image source: FBI
Who pays the ransom?
A police department paid $750 to decrypt images and Word documents.
Who pays the ransom?
In Australia, a Townsville sex shop paid $1,058 to ransomware attackers.
Cryptolocker Mastermind
According to the FBI, losses are “more than $100 million.”
Image source: FBI
Attribution
Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, nickname “Slavik”, indicted for conspiracy, computer hacking, wire fraud, bank fraud, and money laundering.
Bogachev is identified as a leader of a cyber gang of criminals based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.
Cryptolocker Victims and Damages
o Dell SecureWorks estimates that CryptoLocker has infected 250,000 victims, with an average payout of $300 each
o 1 million dollars a day.
o $27 million in ransom in the first 2 months (FBI)
Image source: FBI
Poll #2
What percentage of victims pay the ransom?
o 0.1%
o 1%
o 25%
o 41%
41% of people pay ransom
Data from a Jan 2014 survey by University of Kent
http://www.cybersec.kent.ac.uk/Survey2.pdf
Cryptolocker overview
(Flow diagram: locked files on the victim → Bitcoin ransom sent to the C&C server → private key sent back → files unlocked)
Cryptolocker analysis
- Drops a copy of itself in %APPDATA%\{random}.exe
- It creates the following autorun key:
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CryptoLocker":<random>.exe
- It creates two processes of itself; the other acts as a watchdog.
Later versions of CryptoLocker create an additional registry entry:
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker":<random>.exe
Cryptolocker C&C
Domain Generation Algorithm
It uses any of the following TLDs for every generated domain:
.com, .net, .biz, .ru, .org, .co.uk, .info
(Diagram: numbered steps 1 to 6 of the flow in which the C&C server supplies the public key used to encrypt files)
Cryptolocker C&C
C&C sinkholed – what does it mean?
CryptoLocker Victims
Filename and Extensions Encrypted by CryptoLocker
Cryptolocker analysis
It searches all local and remote drives for files to encrypt.
All files that are encrypted are also recorded in the following registry key:
HKEY_CURRENT_USER\Software\CryptoLocker\Files
The only way to decrypt is to buy the private key from the attackers.
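An added example (not from the slides) for triaging the registry artifacts named on this and the earlier Cryptolocker analysis slide: it parses a .reg export, flags the Run/RunOnce "CryptoLocker" values, and extracts the file list recorded under HKCU\Software\CryptoLocker\Files so those files can be queued for restoration from backup. The export below is constructed for illustration, and it assumes the Files key stores plain backslash-escaped paths as value names (how real samples encode them is not stated on the slides).

```python
import re

# Constructed .reg export (not real victim data) with the artifacts the slides
# describe: Run/RunOnce persistence values and HKCU\Software\CryptoLocker\Files.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\kfdsaj.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\kfdsaj.exe"
[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000000
"Z:\\shared\\contracts\\nda.docx"=dword:00000000
'''
_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    # .reg files escape backslashes and double quotes inside strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Flatten a .reg export into {key, name, data} records."""
    records, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY.match(line):
            key = m.group(1)
        elif key and (m := _VALUE.match(line)):
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])  # REG_SZ; dword:/hex: left raw
            records.append({"key": key, "name": name, "data": data})
    return records

def triage(text):
    """Flag CryptoLocker autorun values and list the files it recorded as encrypted."""
    out = {"persistence": [], "encrypted_files": []}
    for r in parse_reg_export(text):
        k = r["key"].lower()
        if (k.endswith(("\\currentversion\\run", "\\currentversion\\runonce"))
                and r["name"].lstrip("*").lower() == "cryptolocker"):
            out["persistence"].append({
                "value_name": r["name"], "image": r["data"],
                # A '*' prefix on a RunOnce value makes it run even in Safe Mode.
                "safe_mode": k.endswith("runonce") and r["name"].startswith("*"),
                "in_appdata": "\\appdata\\roaming\\" in r["data"].lower(),  # %APPDATA%\{random}.exe per the slides
            })
        elif k.endswith("\\software\\cryptolocker\\files"):
            out["encrypted_files"].append(r["name"])  # candidates to restore from offline backup
    return out
```

The benign OneDrive entry is deliberately left unflagged so the check can be compared against a normal Run key.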
Cryptolocker Ransom
Payment options: moneypak, ukash, cashu, bitcoin
Price: $300 USD or 2 BTC
Cryptolocker 2.0
                  Original Cryptolocker              Cryptolocker 2.0
Compiler          C++                                .NET
Encryption        RSA-2048                           RSA-4096
C&C servers       Employs DGA                        No DGA
Payment scheme    moneypak, ukash, cashu, bitcoin    bitcoin only
Around December 2013, a new ransomware emerged claiming to be Cryptolocker 2.0.
It drops a copy of itself in %system% as msunet.exe.
Cryptodefense aka Cryptowall
o Cryptodefense is a newer variant of Cryptolocker.
o Appeared in Feb 2014
o No GUI
o Pops up a webpage, drops a text file
o Uses TOR for anonymous payments
CryptoWall 3.0 example
CryptoWall video
Android SimpleLocker
May 2014 – Simplelocker appears in Ukraine
- Asks for $22 USD using Monexy
- Uses TOR for C&C
Checks the SD card for:
jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4
Unlike Cryptolocker, the encryption key is hardcoded in the malware. Encrypted files are appended with “.enc”.
Simplelocker
Image: NioGuard
Summary
1. Cryptowall evolved into a major threat, allowing criminals to easily monetize malware infections via Bitcoin.
2. Due to the current geopolitical situation, Russian attackers will likely continue the barrage against US businesses and individuals while enjoying safe haven in their home country.
3. Cryptowall needs the public key to encrypt files, so blocking known C&C servers may help prevent data encryption.
4. Back up your files! Since decrypting Cryptowall-encrypted files is not possible, frequent backups become even more critical. And keep your backup offline.
Thank You!
Twitter: @belogor

cryptowall_dissected
